Backup and Restore Certificates

I’m using RouterOS 4.16 and I have a certificate with its associated private key which isn’t protected by a passphrase ( when I imported them I entered a blank passphrase ).
After backing up and restoring, the certificate appears as if it were encrypted ( /certificate print starts with a column QR instead of KR ).
I executed the command /certificate decrypt ( entering a blank passphrase ) but it remains in the same state and so is useless.
Previously I had RouterOS version 4.5 and I didn’t have this problem.
Thanks in advance for any help.

I would recommend deleting this certificate, copying the certificate and decrypting it.

Thanks, it works, but it is a work around to what seems to be a bug.
The problem is that when a restore is done on a new router from a backup of another router ( with the same RouterOS and firmware versions ), private keys are useless because they can’t be decrypted.
The only case in which decryption works after a restore is when the backup was done on exactly the same hardware ( as far as I could test ).
Does anyone know why ?
Thanks for any help.

Yes, you are correct. The Mikrotik Wiki has some information about this: http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Description

The restoration procedure assumes the configuration is restored on the same router where the backup file was originally created, so it will create a partially broken configuration if the hardware has been changed.

Thanks for your answer. So I assume that the only way to create portable backups ( between different hardware ) is using the export command from the highest level of the tree ( i.e. from / ).
The problem is that when I try to import an exported configuration it doesn’t work. The router hangs forever; I can’t even boot from the RS232 console. I had to hardware reset the router.
Thanks for any clue.

acaruso, export does not export any decrypted certificate; likewise, /user passwords are not exported by /export.

Thanks for your answer, but my question was another: why does an export done from / fail when it is imported ( it hangs forever )?

Again, the Mikrotik Wiki is a good resource, it covers this as well: http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Importing_Configuration

Note that it is impossible to import the whole router configuration using this feature. It can only be used to import a part of configuration (for example, firewall rules) in order to spare you some typing.

Thanks, but in that case the conclusion is that it is impossible to blindly back up and restore from one piece of hardware to another, even when they have exactly the same RouterOS version, because

a) /system backup is only reliable within the same hardware.
b) /export /import is “partial”

When you have many routers in your network and you try to minimize incident response time after a hardware failure, having to manually retype router configuration is not an acceptable maintenance procedure.

Agreed, maybe I should whip something up :wink:

Has this issue been resolved? or does anybody have an update on it?

Cheers
Mark

Hi,

I wonder if this issue is still open.

Thanks,

For security reasons you need to restore (decrypt) the certificate separately from a backup or import-file configuration restore.

Please note my post on Jan 6 2011

The only case in which decryption works after a restore is when the backup was done on exactly the same hardware ( as far as I could test ).

That’s the problem I am trying to solve:
I want to restore from a backup on brand new hardware.
I know the passphrase of the certificate/key saved in the backup.
It doesn’t decrypt.

acaruso, upload certificate files to the router (from the “scratch”) and decrypt necessary files.

Sergej,

I knew that way, but it is a workaround to avoid a bug: key decryption doesn’t work after restoring a backup; you must “also” have the certificate / key files and import them again.

Regards,

acaruso,
Your private key is bound somehow to either the OS instance or the hardware it’s installed on.

Basically, this means you cannot decrypt the certificate, as it is inaccessible outside RouterOS.
In short, you cannot restore full certificate data across multiple devices, or multiple RouterOS instances.

Doug,

To be clear:

I have routerboard A, with a certificate/key pair, I back it up, I copy the backup to router B ( same model and OS version ), restore the backup, try to decrypt certificate but it fails.

Is this normal behaviour?

The only “solution” I found is, after restoring, deleting the unencrypted key, copying aside the certificate/key pair, importing them and finally decrypting, but this implies that backup files don’t contain everything needed to restore.

So the conclusion is that, in an environment where you have many routers, you must provide your maintenance staff not only with the backup files but also with the certificate/key pairs.

So the conclusion is that, in an environment where you have many routers, you must provide your maintenance staff not only with the backup files but also with the certificate/key pairs.

Yes, currently it is correct.
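The conclusion above (backup files alone are not enough on replacement hardware; staff also need the certificate/key pair) can be turned into a repeatable procedure. The script below is an added example, not something from this thread or from MikroTik: it pairs a router's /system backup file with its certificate and key files in one per-router recovery kit and writes a SHA-256 manifest, so whoever restores onto a replacement unit can verify the kit first. The file names, the kit layout and the `make_kit`/`verify_kit` function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from MikroTik): build a per-router
# recovery kit that pairs the /system backup file with the certificate and key
# files a restore on new hardware will need, plus a SHA-256 manifest so staff
# can verify the kit before touching a replacement router.
# File names and the kit layout are assumptions; the thread names no files.
set -eu

sha256_of() {
    # Print the SHA-256 hex digest of a file (coreutils sha256sum, with a
    # fallback to shasum on systems that lack it).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_kit ROUTER_NAME BACKUP_FILE CERT_FILE KEY_FILE OUT_DIR
# Creates OUT_DIR/ROUTER_NAME/ holding copies of the three files and a
# MANIFEST line "<sha256>  <file name>" for each; returns 1 if any input is missing.
make_kit() {
    router=$1; backup=$2; cert=$3; key=$4; out=$5/$router
    mkdir -p "$out"
    for f in "$backup" "$cert" "$key"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        cp "$f" "$out/"
    done
    : > "$out/MANIFEST"
    for f in "$backup" "$cert" "$key"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$out/MANIFEST"
    done
    # The key file in the thread's case is unencrypted, so the kit itself
    # belongs in access-controlled, encrypted storage; at minimum keep it
    # readable only by its owner.
    chmod 700 "$out"
    chmod 600 "$out"/*
}

# verify_kit KIT_DIR
# Re-hashes every file named in MANIFEST; returns 1 on a missing file or mismatch.
verify_kit() {
    kit=$1
    [ -f "$kit/MANIFEST" ] || { echo "no MANIFEST in $kit" >&2; return 1; }
    while read -r expected name; do
        actual=$(sha256_of "$kit/$name") || return 1
        [ "$actual" = "$expected" ] || { echo "MISMATCH: $name" >&2; return 1; }
    done < "$kit/MANIFEST"
}
```

Run `make_kit routerA routerA.backup routerA.pem routerA.key /secure/kits` once per router after each backup, and `verify_kit /secure/kits/routerA` on the machine that will push the files to the replacement unit; a non-zero exit means the kit is incomplete or was altered and should not be used for the restore.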

I’m on 5.22 and trying to configure a nightly config sync between routers, but after it the certificates went into the QR state :frowning:
Both routers are identical RB1200s.

Any chances to fix it or workaround?
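The symptom described in the first post and again in the last one is visible in the flags column of `/certificate print`: QR means a private key is present but still encrypted, KR means RouterOS holds the decrypted key. The script below is an added example, not code from this thread or from MikroTik. It parses that listing and reports every certificate whose key is still encrypted after a restore or a config sync, so the state can be checked before a service that depends on the certificate is brought up. The listing it parses is constructed to match the layout the thread describes; the exact column widths and header wording on a real router may differ, which is why the parser keys off the flag letters rather than fixed offsets.

```python
"""Post-restore check for RouterOS certificate private keys.

Added example (not from the forum thread or MikroTik). Parses the text of
`/certificate print` and lists certificates whose private key is still
encrypted (flag Q without K), which is the state the thread reports after
restoring a backup on different hardware.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `/certificate print` after a restore on other hardware:
# entry 0 came from the backup and still has an encrypted key (QR), entry 1
# was re-imported and decrypted by hand (KR), entry 2 has no private key (R).
SAMPLE_PRINT = """\
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 #    SUBJECT                     ISSUER                      NOT-BEFORE           NOT-AFTER
 0 QR CN=vpn.example.test         CN=Example Test CA          jan/06/2011 00:00:00 jan/06/2013 00:00:00
 1 KR CN=hotspot.example.test     CN=Example Test CA          jan/06/2011 00:00:00 jan/06/2013 00:00:00
 2  R CN=Example Test CA          CN=Example Test CA          jan/01/2010 00:00:00 jan/01/2020 00:00:00
"""

# A data row: index, an optional one- or two-letter flag group, then the subject
# up to the next run of two or more spaces (or end of line).
ROW_RE = re.compile(r"^\s*(\d+)\s+(?:([KQRD]{1,2})\s+)?(.+?)(?:\s{2,}|$)")


@dataclass
class CertEntry:
    index: int
    flags: str
    subject: str

    @property
    def has_private_key(self) -> bool:
        # Either flag means a private key is stored with the certificate.
        return "Q" in self.flags or "K" in self.flags

    @property
    def key_usable(self) -> bool:
        # Only K means RouterOS holds the decrypted key; Q alone is the
        # "appears encrypted" state the thread describes after a restore.
        return "K" in self.flags


def parse_certificate_print(text: str) -> list[CertEntry]:
    """Return one CertEntry per data row, skipping the legend and header lines."""
    entries: list[CertEntry] = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue  # "Flags:" legend, column header, blank lines
        index, flags, subject = match.groups()
        entries.append(CertEntry(int(index), flags or "", subject))
    return entries


def encrypted_keys(text: str) -> list[CertEntry]:
    """Entries that need `/certificate decrypt` (or a fresh import) before use."""
    return [e for e in parse_certificate_print(text)
            if e.has_private_key and not e.key_usable]


def report(text: str) -> str:
    """Human-readable summary; empty-key and decrypted entries are not listed."""
    stuck = encrypted_keys(text)
    if not stuck:
        return "all private keys decrypted"
    lines = [f"{len(stuck)} certificate(s) still have an encrypted private key:"]
    lines += [f"  #{e.index} {e.flags} {e.subject}" for e in stuck]
    return "\n".join(lines)


if __name__ == "__main__":
    # Paste real `/certificate print` output into SAMPLE_PRINT or feed it on stdin.
    print(report(SAMPLE_PRINT))
```

On a real router the listing would be captured over SSH or from a terminal session and fed to `report`; a non-empty result after a restore or sync is the cue to apply the thread's workaround (remove the entry, re-import the certificate/key files, decrypt) before relying on that certificate.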